Cyber threats continue to grow in complexity and frequency, affecting individuals, businesses, and even governments. Understanding the most common types of cyber attacks, and how they work, is essential for building effective defences. Below is an overview of the key attack types.
These attacks overwhelm a system with excessive traffic, making it slow or completely unavailable to users. DDoS attacks are more sophisticated, using multiple systems to launch the assault simultaneously. The target becomes so overwhelmed that it either shuts down because it cannot deal with the traffic, or lets requests through because it can no longer check them.
An attacker secretly intercepts communication between two parties, allowing them to monitor, alter or steal information. This is especially dangerous over unsecured public Wi-Fi networks.
A form of social engineering where attackers impersonate trusted entities in emails or messages to trick users into revealing sensitive information or clicking malicious links.
A targeted phishing attack aimed at high-level executives or decision-makers, often to trick them into transferring funds or handing over access credentials.
Unlike standard phishing, these attacks are highly personalised. Attackers research the victim to craft convincing messages, increasing the chances of success. An example is a fake job offer.
A type of malware that locks or encrypts data and demands payment for its release, often in cryptocurrency. Victims face data loss or costly downtime.
🛑 WannaCry ransomware attack
Attackers use techniques like brute force (systematically guessing every possible password until the correct one is found; see number 12), credential stuffing or password spraying (both rely on leaked username/password pairs from data breaches) to gain unauthorised access. Simple or reused passwords are especially vulnerable.
Attackers exploit flaws in a website’s database query system to gain unauthorised access to data such as usernames and passwords.
Hackers change parts of a website URL to gain access to restricted areas. Poorly protected admin pages are often targets.
Attackers corrupt a domain name system (DNS) to redirect users to fraudulent websites, where sensitive data can be harvested.
Hackers take control of a user’s session with a website, often by stealing session cookies. This allows them to impersonate the user and access private systems.
💻 Zoom-bombing during COVID-19
This method involves repeatedly trying different passwords until the correct one is found. Tools can automate this using common wordlists or patterns.
Targeting flaws in websites and online services, these attacks include techniques like XSS (Cross-Site Scripting, see number 17) and SQL injection (see number 8).
Employees or contractors with legitimate access can pose a threat, whether intentionally or through negligence. Social engineering plays a major role: a hacker only needs to manipulate one person inside a system to attack it from within.
🕵️ Twitter/X employee breach
Malware disguised as legitimate software. Once downloaded, it can open a backdoor for attackers or install additional malicious programs.
Malicious code is hidden on compromised websites and installs automatically when the site is visited, with no interaction needed.
This attack injects malicious scripts into trusted websites. If a user clicks the link, the script executes in their browser, often stealing session data.
🔗 The Samy Worm on MySpace
Intercepting network traffic to gather confidential information. Can be passive (monitoring only) or active (modifying or injecting data).
A birthday attack exploits the fact that hash functions can produce the same output (a collision) for different inputs. If an attacker finds a matching hash, they can replace the original data without detection.
The name comes from the birthday paradox: in a group of just 23 people, there's a 50% chance two people share a birthday, highlighting how collisions are more likely than expected.
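The arithmetic behind the birthday paradox, and what it means for choosing a digest length, as an added example that is not part of the original article. It goes slightly beyond the 23-people case by applying the same formula to hash outputs; the 24-bit truncation of SHA-256 and the `constructed-sample-N` inputs are assumptions made so the collision search finishes instantly.

```python
import hashlib
import math


def birthday_collision_probability(n: int, space: int) -> float:
    """Chance that n uniformly random values out of `space` contain a repeat."""
    if n > space:
        return 1.0
    # P(no repeat) = prod_{i=0}^{n-1} (1 - i/space); sum logs for stability.
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n))
    return 1.0 - math.exp(log_no_repeat)


def samples_for_half_chance(bits: int) -> int:
    """Approximate hashes needed for a 50% collision chance with a
    `bits`-bit digest: sqrt(2 * ln 2 * 2**bits)."""
    return math.ceil(math.sqrt(2 * math.log(2) * 2 ** bits))


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short digest (assumption)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Hash constructed inputs until two different ones share a digest.
    Returns (input_a, input_b, attempts)."""
    seen = {}
    counter = 0
    while True:
        msg = f"constructed-sample-{counter}".encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


if __name__ == "__main__":
    p = birthday_collision_probability(23, 365)
    print(f"23 people, 365 days: {p:.3f}")
    a, b, tries = find_collision(24)
    print(f"24-bit digest collided after {tries} hashes: {a!r} vs {b!r}")
    # Work factor grows as 2^(bits/2), which is why short digests are unsafe.
    for bits in (24, 64, 128, 256):
        n = samples_for_half_chance(bits)
        print(f"{bits:>3}-bit digest: about 2^{math.log2(n):.1f} hashes for 50%")
```

The collision work factor is roughly the square root of the output space, so a digest needs twice as many bits as the security level it is meant to provide.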
An umbrella term for malicious software like viruses, worms, ransomware, and spyware. Malware can disrupt, damage, or gain unauthorised access to systems.